Archive for the ‘Cisco’ tag
Tony Li and Procket
Tony Li left Procket a while ago. He was an employee of Cisco Systems and Juniper Networks before joining Procket in 1999. Currently he is working at Verio, "playing ISP" as he says.
In his latest interview with CNet News.com, he gave some insight into new trends he sees in the IP routing market and the Internet in general.
I would much rather be in a start-up than a large company. My style is much more about getting things done, and I prefer the freedom rather than the many layers of process that are usually necessary in a big company.
(this is what Tony Li and I have in common)
Remember the rumors about Procket and Cisco? Now it's official.
Cisco, Juniper and Procket
What is Juniper doing?
After completing the acquisition of NetScreen, Juniper is ready to make its next big moves. The first of them is the introduction of the J Series of low-end routers (codenamed Pepsi). The next important move (not yet confirmed by Juniper) is the acquisition of Extreme Networks.
This would be very important for Cisco Systems: until now Juniper was only a competitor in the high-end router market, but after these recent acquisitions and new products it will enter the low-end router market as well as the switching area.
And what about Cisco?
On the other hand, Cisco Systems is not sitting on the sidelines. Cisco is also trying to beat Juniper in the high-end routing market by releasing the brand new CRS-1 (up to 92 Tbps; enough for your network?), which is a revolution for Cisco. The CRS-1 is not based on old-school IOS software but on the brand-new Cisco IOS XR operating system. IOS XR itself is based on the QNX RTOS.
And finally, “Cisco is acquiring certain assets and intellectual property from router start-up Procket Networks for about $80 million”, according to an NWFusion article. I was not lucky enough to have a Procket router, but I should admit their products look very good.
Say goodbye to Nachi
Worms are the hot topic of the day. Blaster and Nachi are making trouble for ISPs as well as end users worldwide.
There are different ways to combat these worms. If you are a network administrator running Cisco gear in your network, you can reduce the effect of these worms with some simple tricks. I have already posted an article on blocking the Blaster worm in a Cisco router.
Blocking Nachi is a little trickier, since it uses ICMP echo/echo-reply to map your network and propagate its code. This causes a heavy ICMP storm in your network (which you may have already noticed). The simplest way is to block all ICMP traffic, which is not a good solution and harms your customers (they won't be able to do ping measurements in that case).
Here is what I did to protect against Nachi (in a Cisco router):
Set up your Null0 interface like this:
!
interface Null0
 no ip unreachables
!
Then make an access-list that matches ICMP echo/reply packets:
!
ip access-list extended nachi-list
 permit icmp any any echo
 permit icmp any any echo-reply
!
Now the trick:
!
route-map nachi permit 10
 match ip address nachi-list
 match length 92 92
 set interface Null0
!
Fortunately, Nachi uses fixed-size ICMP packets (92 bytes, including the IP header) as its reachability probe. The route-map above forwards every ICMP echo/echo-reply packet with a total length of exactly 92 bytes to the Null0 interface. Null0 returns no unreachable message and simply drops the packet.
You should put this route-map on your network interface, like this (necessary parts listed only):
!
interface FastEthernet0/0
 description Connected to Local Network
 ip route-cache policy
 ip policy route-map nachi
!
That “ip route-cache policy” line is very important: it enables fast switching for policy routing, so the router caches the policy-route decision instead of process-switching every packet, which keeps processor load down (CEF won’t be useful here).
This is the result after 5 minutes:
router#sh route-map nachi
route-map nachi, permit, sequence 10
  Match clauses:
    ip address (access-lists): nachi-list
    length 92 92
  Set clauses:
    interface Null0
  Policy routing matches: 190909 packets, 20236354 bytes
Congratulations! Your network is saved.
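To see exactly which packets the route-map above sends to Null0 and which it leaves alone, here is the same match reproduced offline in Python. This is an added example, not configuration or code from the original post: it builds a few constructed IPv4/ICMP packets, applies the two match clauses (ICMP echo or echo-reply, total IP length exactly 92 bytes) and keeps the packet/byte counters that “show route-map” displays.

```python
"""Offline model of the 'nachi' route-map: ICMP echo/echo-reply packets whose
IP total length is exactly 92 bytes go to Null0; everything else is forwarded.
Added example; all packets below are constructed, not captured traffic."""
import socket
import struct

IP_HEADER_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4(proto: int, payload: bytes, src: str = "192.0.2.10", dst: str = "198.51.100.20") -> bytes:
    """Build a minimal IPv4 packet (header checksum left at zero; irrelevant for the match)."""
    header = struct.pack(
        IP_HEADER_FMT,
        0x45,                # version 4, IHL 5
        0,                   # DSCP/ECN
        20 + len(payload),   # total length, header included
        0x1234,              # identification (constructed value)
        0,                   # flags / fragment offset
        64,                  # TTL
        proto,
        0,                   # header checksum (not computed here)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return header + payload


def build_icmp_echo(icmp_type: int, data_len: int) -> bytes:
    """ICMP echo (type 8) or echo-reply (type 0): 8-byte header plus filler data."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x0001, 0x0001) + b"\xaa" * data_len


def nachi_route_map(packet: bytes) -> str:
    """Return 'Null0' when the packet hits both match clauses, otherwise 'forward'."""
    if len(packet) < 20:
        return "forward"
    version_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(IP_HEADER_FMT, packet[:20])
    ihl = (version_ihl & 0x0F) * 4
    # match ip address nachi-list: permit icmp any any echo / echo-reply
    if proto != 1 or len(packet) < ihl + 1:
        return "forward"
    if packet[ihl] not in (0, 8):          # ICMP type byte
        return "forward"
    # match length 92 92: IP total length, header included
    if total_len != 92:
        return "forward"
    return "Null0"


def policy_counters(packets) -> dict:
    """Mimic the 'Policy routing matches' line of 'show route-map'."""
    dropped = [p for p in packets if nachi_route_map(p) == "Null0"]
    return {"packets": len(dropped), "bytes": sum(len(p) for p in dropped)}


# Constructed sample traffic
SAMPLE_PACKETS = [
    build_ipv4(1, build_icmp_echo(8, 64)),  # Nachi-style probe: 20 + 8 + 64 = 92 bytes -> Null0
    build_ipv4(1, build_icmp_echo(0, 64)),  # its 92-byte echo-reply -> Null0
    build_ipv4(1, build_icmp_echo(8, 56)),  # ordinary 84-byte ping -> forwarded
    build_ipv4(6, b"\x00" * 72),            # 92-byte TCP segment: not ICMP -> forwarded
    build_ipv4(1, struct.pack("!BBHI", 3, 3, 0, 0) + b"\x00" * 64),  # 92-byte ICMP unreachable -> forwarded
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(len(p), "bytes ->", nachi_route_map(p))
    print(policy_counters(SAMPLE_PACKETS))
```

The last two sample packets are the point of the exercise: a 92-byte packet that is not an echo/echo-reply passes, so the length clause alone would not be a safe filter, and the two clauses together are what keep normal ping traffic (84 bytes on a typical host) flowing while the worm's probes are dropped.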
Network Impact of the MS SQL worm
Iljitsch van Beijnum, author of my favorite book, BGP, explains his experience with the MS SQL worm and its effect on Cisco routers on O'Reilly Network's ONLamp.com.
Almost the same thing happened to me last week, which caused a complete crash of our edge router. We were running CEF but it didn't help. After getting into the router through the serial console and shutting down all interfaces, I found that some sort of malformed traffic was passing through our edge router, headed to the Internet from our local network. I didn't even have a chance to do traffic inspection on the router itself, since as soon as I tried to bring up the FastEthernet interface, the CPU usage on the router hit the max. So I got into the Catalyst switch and checked all connected interfaces for an abnormal traffic pattern, and I found it! It was an infected MS SQL host inside our network.
Folks, please keep your Windows boxes up to date. This is serious.
Blaster’s blast
While the Blaster worm is discovering vulnerable Windows machines as fast as possible, I did what I had to do a very long time ago, which was blocking NetBIOS at our network border:
edge#show access-list forbid
Extended IP access list forbid
    deny tcp any any range 135 139 (8588631 matches)
    deny udp any any range 135 netbios-ss (425993 matches)
    deny tcp any any eq 4444 (45 matches)
    deny udp any any eq tftp (4 matches)
    permit ip any any (24505712 matches)
Oops! Too many NetBIOS requests for just two hours! And this is how we blocked all of Blaster's junk traffic in our network. A filter like the one shown above has been applied to the borders, and done. In one case it dropped more than 6 Mbps on a single link. It's horrible.
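As an added illustration (not from the original post) of how the “forbid” access list above decides on traffic, the following Python model parses those five entries, evaluates constructed flows against them with IOS's first-match semantics and the implicit deny at the end, and keeps per-entry hit counters in the shape of the “show access-list” output. The port keywords netbios-ss and tftp are resolved the way IOS does (139 and 69); the flows are constructed samples.

```python
"""Software model of the 'forbid' extended ACL: ordered entries, first match wins,
per-entry hit counters like 'show access-list'. Added example with constructed flows."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in the post's ACL
PORT_NAMES = {"netbios-ss": 139, "tftp": 69}


def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


@dataclass
class AclEntry:
    action: str                               # "deny" or "permit"
    proto: str                                # "tcp", "udp" or "ip" (any IP protocol)
    dport: Optional[Tuple[int, int]] = None   # inclusive destination-port range; None = any port
    matches: int = 0

    def covers(self, proto: str, dport: int) -> bool:
        if self.proto != "ip" and proto != self.proto:
            return False
        return self.dport is None or self.dport[0] <= dport <= self.dport[1]


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'deny|permit <proto> any any [range lo hi | eq port]' entries."""
    entries = []
    for line in lines:
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[4:]   # tok[2:4] is the 'any any' source/destination
        rng = None
        if rest and rest[0] == "range":
            rng = (port_number(rest[1]), port_number(rest[2]))
        elif rest and rest[0] == "eq":
            rng = (port_number(rest[1]),) * 2
        entries.append(AclEntry(action, proto, rng))
    return entries


def evaluate(acl: List[AclEntry], proto: str, dport: int) -> str:
    """The first matching entry decides and takes the hit; anything unmatched hits the implicit deny."""
    for entry in acl:
        if entry.covers(proto, dport):
            entry.matches += 1
            return entry.action
    return "deny"


def render(acl: List[AclEntry], name: str = "forbid") -> str:
    """Render the entries and counters the way 'show access-list' prints them."""
    out = [f"Extended IP access list {name}"]
    for e in acl:
        if e.dport is None:
            ports = ""
        elif e.dport[0] == e.dport[1]:
            ports = f" eq {e.dport[0]}"
        else:
            ports = f" range {e.dport[0]} {e.dport[1]}"
        out.append(f"    {e.action} {e.proto} any any{ports} ({e.matches} matches)")
    return "\n".join(out)


# The access list from the post, as it would be typed in
FORBID_ACL_LINES = [
    "deny tcp any any range 135 139",
    "deny udp any any range 135 netbios-ss",
    "deny tcp any any eq 4444",
    "deny udp any any eq tftp",
    "permit ip any any",
]

# Constructed sample flows: (protocol, destination port)
SAMPLE_FLOWS = [
    ("tcp", 135), ("tcp", 135), ("tcp", 139),   # RPC / NetBIOS session traffic
    ("udp", 137),                               # NetBIOS name service
    ("tcp", 4444),                              # port 4444, blocked by the third entry
    ("udp", 69),                                # tftp, blocked by the fourth entry
    ("tcp", 80), ("udp", 53),                   # ordinary traffic, permitted
    ("tcp", 445),                               # SMB over 445: this ACL does not cover it
]


def run_sample() -> List[AclEntry]:
    acl = parse_acl(FORBID_ACL_LINES)
    for proto, dport in SAMPLE_FLOWS:
        evaluate(acl, proto, dport)
    return acl


if __name__ == "__main__":
    print(render(run_sample()))
```

Running it shows the counters climbing on the deny entries only for the ports the list names; the last sample flow, to TCP 445, falls through to “permit ip any any”, which is worth knowing when deciding whether this particular list is enough for your border.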
Enable the Internet Connection Firewall if you are using XP, and get this tool to check your system's health and remove the worm if your workstation is infected. Then update your Windows with all the security patches available on the Microsoft Windows Update website.
Definite solution: Get FreeBSD and set your computer free! (Geeks Only)
Resolution: We don’t need NetBios, We don’t like Microsoft.
